It is common for victims of healthcare data breaches to take legal action against healthcare organizations that have experienced cyberattacks and data theft incidents. In order for lawsuits to have standing, the plaintiffs must usually demonstrate they have suffered actual harm as a result of the breach.
Recently, a federal judge recommended a lawsuit against Practicefirst Medical Management Solutions, which experienced a ransomware attack that affected more than 1.2 million individuals, be dismissed as the claims of harm were deemed to be too speculative, even though the ransomware gang had exfiltrated the plaintiffs’ and class members’ personal data.
When lawsuits are allowed to proceed, it is common for the defendants to agree to settle the litigation, even if they maintain there has been no wrongdoing. While the cost of settling litigation can be high, it is often viewed as preferable to the uncertainty of trial and to avoid the cost of ongoing litigation, as was the case with lawsuits filed against the healthcare clearinghouse Inmediata and the pharmacy solution provider CaptureRx.
Inmediata Settles Class Action Lawsuit for $1.125 Million
Inmediata Health Group, a Puerto Rico-based provider of healthcare clearinghouse and management solutions, discovered a misconfiguration on its website which allowed internal webpages to be accessible over the Internet. The internal web pages contained sensitive patient data and had been indexed by search engines and could be found in search engine listings. The web pages contained the protected health information (PHI) of 1.5 million individuals.
Affected individuals were notified about the exposure of their data in April 2019 and legal action was taken by victims of the data breach. The lawsuit alleged security failures at Inmediata exposed sensitive data such as names, addresses, dates of birth, Social Security numbers, and claims information, and Inmediata took too long to send notification letters.
While Inmediata admitted to the misconfiguration error, it said there was no evidence of data theft or misuse of PHI. Inmediata chose to settle the lawsuit and agreed to make $1.125 million available to cover claims for documented losses from the plaintiffs and class members and will cover the cost of credit monitoring services.
“Inmediata denies these and all other claims made in the lawsuit. The Court has not decided that Inmediata did anything wrong and the Settlement does not mean Inmediata is admitting that it did anything wrong. Both the Plaintiffs and Inmediata believe that the Settlement is fair, adequate, and reasonable and that it is in the best interests of the Settlement Class,” said Inmediata.
CaptureRx Agrees $4.75 Million Settlement to Resolve Class Action Lawsuit
CaptureRx, a San Antonio, TX-based provider of pharmacy solutions to help hospitals manage their 340B drug discount programs, has agreed to settle proposed class action lawsuits filed by victims of a 2021 cyberattack and data breach that resulted in the theft of the PHI of around 2.4 million individuals.
CaptureRx detected unusual activity in its computer systems in February 2021, and determined unauthorized individuals had accessed files containing names, dates of birth, and the prescription information of patients of more than 170 healthcare provider clients.
The decision was taken to settle the litigation as CaptureRx said it would face bankruptcy if the litigation continued. CaptureRx CEO Christopher Hotchkiss said he would strongly consider bankruptcy if the settlement is rejected. Under the terms of the settlement, which is deemed to be fair by the plaintiffs’ lawyers, CaptureRx will make $4.75 million available to cover claims from the plaintiffs and class members, with the plaintiffs due to receive around $2,000 each and breach victims entitled to submit claims of up to $25, and $75 if they were residents of California at the time of the data breach. CaptureRx is also required to implement and maintain a comprehensive information security program.
“By settling now, the settlement class can take advantage of remedies that would be unavailable or worth substantially less by the time of a litigated final judgment,” according to CaptureRx. Around half of the proposed settlement is being covered by its insurer.
CaptureRx is seeking preliminary approval of the settlement from the court, with the final settlement, if approval is received, due in around 100 days.